LPIC-2 Objectives V5.0: Difference between revisions

From LPI Wiki
Copy of version 4.5
 
Update of exam 201
Line 28: Line 28:
==Version Information==
==Version Information==


These objectives are version 4.5.0.  This version is to go live on February 13th, 2017.
These objectives are A DRAFT version 5.0.0.
 
This is also a [[LPIC-2_Summary_Version_4.0_To_4.5|summary and detailed information]] on the changes from version 4.0.x to 4.5.0 of the objectives.
 
The [[LPIC-2_Objectives_V4|version 4.0 of the LPIC-2 Objectives]] are still online.


<br />
<br />
Line 38: Line 34:
==Addenda==
==Addenda==


===''Version Update (February 13th, 2017)''===
<br />
<br />


* updated to version 4.5.0
==Translations of Objectives==  
 
<br /><br />
 
==Translations of Objectives==


The following translations of the objectives are available on this wiki:
The following translations of the objectives are available on this wiki:


* [[LPIC-2_Objectives_V4.5|English]]
* [[LPIC-2_Objectives_V5.0|English]]
 
* [[LPIC-2_Objectives_V4.5(ES)|Spanish]]
 
* [[LPIC-2_Objectives_V4.5(FR)|French]]
 
* [[LPIC-2_Objectives_V4.5(DE)|German]]
 
* [[LPIC-2_Objectives_V4.5(PT-BR)|Portuguese]]


If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]
If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]


<br /><br />
<br />
<br />


==Objectives: Exam 201==
==Objectives: Exam 201==


===''Topic 200: Capacity Planning''===
===''Topic 200: System Startup''===


====<span style="color:navy">200.1 Measure and Troubleshoot Resource Usage (weight: 6)</span>====
====<span style="color:navy">200.1 Linux Kernel (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 6
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" |  
| style="background:#dadada; padding-right:1em" | '''Description'''
 
'''Description'''
 
| style="background:#eaeaea" |
 
Candidates should be able to measure hardware resource and network bandwidth, identify and troubleshoot resource problems.


| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Measure CPU usage.
* Understanding the Linux starup process


* Measure memory usage.
* Understanding the Linux kernel architecture, including kernel modules


* Measure disk I/O.
* Linux kernel release and versioning scheme


* Measure network I/O.
* Linux kernel modules


* Measure firewalling and routing throughput.
* DKMS


* Map client bandwidth usage.
* udev


* Match / correlate system symptoms with likely problems.
'''Partial list of the used files, terms and utilities:'''


* Estimate throughput and identify bottlenecks in a system including networking.
* Bootloader


'''The following is a partial list of the used files, terms and utilities:'''
* Kernel


* iostat
* Initramfs


* iotop
* Init


* vmstat
* Udev


* netstat
* mkinitramfs


* ss
* uname


* iptraf
* Module configuration files in /etc/


* pstree, ps
* modules.dep


* w
* depmod


* lsof
* modinfo


* top
* modprobe


* htop
* insmod


* uptime
* lsmod


* sar
* rmmod


* swap
* dmesg


* processes blocked on I/O
* lshw


* blocks in
* lspci


* blocks out
* lsusb


<br />
* udevmonitor


====<span style="color:navy">200.2 Predict Future Resource Needs (weight: 2)</span>====
* udevadm monitor


{|
* /etc/udev
| style="background:#dadada" |


'''Weight'''
* /proc


| style="background:#eaeaea" | 2
* /proc/sys
|-
| style="background:#dadada; padding-right:1em" |


'''Description'''
* /etc/sysctl.conf, /etc/sysctl.conf.d/


| style="background:#eaeaea" |
* sysctl


Candidates should be able to monitor resource usage to predict future resource needs.
<br />


|}
====<span style="color:navy">200.2 Sytemd Startup Configuration (weight: 4)</span>====


'''Key Knowledge Areas:'''
{|
| style="background:#dadada" |


* Use monitoring and measurement tools to monitor IT infrastructure usage.
'''Weight'''


* Predict capacity break point of a configuration.
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}
 
'''Key Knowledge Areas:'''
 
* Systemd concepts


* Observe growth rate of capacity usage.
* Systemd unit types (Service, Socket, Target, Slice)


* Graph the trend of capacity usage.
* Systemd System and User Slices


* Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG and Cacti
* Systemd Override and Drop-In Units


'''The following is a partial list of the used files, terms and utilities:'''
* Awareness of SystemV init and OpenRC


* diagnose
'''Partial list of the used files, terms and utilities:'''


* predict growth
* /usr/lib/systemd/


* resource exhaustion
* /etc/systemd/
 
* /run/systemd/
 
* systemctl
 
* systemd-delta


<br />
<br />
<br />


===''Topic 201: Linux Kernel''===
====<span style="color:navy">200.3 Bootloaders and System recovery (weight: 4)</span>====
 
====<span style="color:navy">201.1 Kernel components (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to utilise kernel components that are necessary to specific hardware, hardware drivers, system resources and requirements. This objective includes implementing different types of kernel images, understanding stable and longterm kernels and patches, as well as using kernel modules.
| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options.  Candidates should be able to determine the cause of errors in loading and usage of bootloaders.  GRUB version 2 and GRUB Legacy are the bootloaders of interest.  Both BIOS and UEFI systems are covered.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Kernel 2.6.x, 3.x and 4.x documentation
* BIOS and UEFI


'''The following is a partial list of the used files, terms and utilities:'''
* GRUB version 2


* /usr/src/linux/
* GRUB shell


* /usr/src/linux/Documentation/
* GRUB configuration


* zImage
* GRUB password security


* bzImage
* systemd-boot installation


* xz compression
* systemd-boot configuration


<br />
* boot loader start and hand off to kernel


====<span style="color:navy">201.2 Compiling a Linux kernel (weight: 3)</span>====
* kernel loading


{|
* hardware initialisation and setup
| style="background:#dadada" |


'''Weight'''
* daemon/service initialisation and setup


| style="background:#eaeaea" | 3
* Know the different boot loader install locations on a hard disk or removable device.
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly configure a kernel to include or disable specific features of the Linux kernel as necessary. This objective includes compiling and recompiling the Linux kernel as needed, updating and noting changes in a new kernel, creating an initrd image and installing new kernels.
* Overwrite standard boot loader options and using boot loader shells.
|}


'''Key Knowledge Areas:'''
* Use systemd rescue and emergency modes.


* /usr/src/linux/
'''Partial list of the used files, terms and utilities:'''


* Kernel Makefiles
* mount


* Kernel 2.6.x, 3.x and 4.x make targets
* fsck


* Customize the current kernel configuration.
* The contents of /boot/, /boot/grub/ and /boot/efi/


* Build a new kernel and appropriate kernel modules.
* EFI System Partition (ESP)


* Install a new kernel and any modules.
* GRUB


* Ensure that the boot manager can locate the new kernel and associated files.
* grub-install


* Module configuration files
* bootctl


* Use DKMS to compile kernel modules.
* loader.conf


* Awareness of dracut
* efibootmgr


'''The following is a partial list of the used files, terms and utilities:'''
* efivar


* mkinitrd
* UEFI shell


* mkinitramfs
* initrd, initramfs


* make
* Master boot record


* make targets (all, config, xconfig, menuconfig, gconfig, oldconfig, mrproper, zImage, bzImage, modules, modules_install, rpm-pkg, binrpm-pkg, deb-pkg)
* systemctl
 
* gzip
 
* bzip2
 
* module tools
 
* /usr/src/linux/.config
 
* /lib/modules/kernel-version/
 
* depmod
 
* dkms


<br />
<br />


====<span style="color:navy">201.3 Kernel runtime management and troubleshooting (weight: 4)</span>====
====<span style="color:navy">200.4 Alternate Bootloaders (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 4
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to manage and/or query a 2.6.x, 3.x or 4.x kernel and its loadable modules.  Candidates should be able to identify and correct common boot and run time issues. Candidates should understand device detection and management using udev. This objective includes troubleshooting udev rules.  
| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Use command-line utilities to get information about the currently running kernel and kernel modules.
* SYSLINUX, ISOLINUX, PXELINUX


* Manually load and unload kernel modules.
* Understanding of PXE and iPXE for both BIOS and UEFI


* Determine when modules can be unloaded.
'''Partial list of the used files, terms and utilities:'''


* Determine what parameters a module accepts.
* syslinux


* Configure the system to load modules by names other than their file name.
* extlinux


* /proc filesystem
* isolinux.bin


* Content of /, /boot/ , and /lib/modules/
* isolinux.cfg


* Tools and utilities to analyse information about the available hardware
* isohdpfx.bin


* udev rules
* efiboot.img


'''The following is a partial list of the used files, terms and utilities:'''
* pxelinux.0


* /lib/modules/kernel-version/modules.dep
* pxelinux.cfg/


* module configuration files in /etc/
* uefi/shim.efi


* /proc/sys/kernel/
* uefi/grubx64.efi


* /sbin/depmod
<br/>
<br/>


* /sbin/rmmod
===''Topic 201: Filesystem and Devices''===


* /sbin/modinfo
====<span style="color:navy">203.1 Operating the Linux filesystem (weight: 4)</span>====


* /bin/dmesg
{|
| style="background:#dadada" |


* /sbin/lspci
'''Weight'''
 
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


* /usr/bin/lsdev
| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}


* /sbin/lsmod
'''Key Knowledge Areas:'''


* /sbin/modprobe
* The concept of the fstab configuration


* /sbin/insmod
* The concept of systemd mount and swap units


* /bin/uname
* Configuring systemd automount units


* /usr/bin/lsusb
* Tools and utilities for handling swap partitions and files


* /etc/sysctl.conf, /etc/sysctl.d/
* Use of UUIDs for identifying and mounting file systems


* /sbin/sysctl
'''Partial list of the used files, terms and utilities:'''


* udevmonitor
* /etc/fstab


* udevadm monitor
* /etc/mtab


* /etc/udev/
* /proc/mounts


<br />
* mount and umount
<br />


===''Topic 202: System Startup''===
* blkid


====<span style="color:navy">202.1 Customizing system startup (weight: 3)</span>====
* sync


{|
* swapon
| style="background:#dadada" |


'''Weight'''
* swapoff
 
* systemctl
 
<br />
 
====<span style="color:navy">203.2 Storage Device Integrity and Encryption (weight: 3)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 3
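Review bot: the new 200.1 utilities list names /etc/sysctl.conf.d/, while the earlier 201.3 list in this same diff has /etc/sysctl.d/, which is the drop-in directory sysctl reads; keep the old path. In the same hunk, "Linux starup process", the heading "200.2 Sytemd Startup Configuration" and "using system" in its description should read startup, Systemd and systemd. "Topic 201: Filesystem and Devices" is followed by objectives numbered 203.1 and 203.2, so the topic and objective numbers disagree.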
Line 369: Line 358:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to query and modify the behaviour of system services at various targets / run levels. A thorough understanding of the systemd, SysV Init and the Linux boot process is required. This objective includes interacting with systemd targets and SysV init run levels.
| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Systemd
* Query, understand and monitor SMART values


* SysV init
* Understand the concepts and disk and file system encryption


* Linux Standard Base Specification (LSB)
* Understand the concepts of dm-crypt and LUKS


* Use LUKS to encrypt storage devices


'''The following is a partial list of the used files, terms and utilities:'''
* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)


* /usr/lib/systemd/
* Awareness of WWID, WWN, LUN numbers


* /etc/systemd/
'''Partial list of the used files, terms and utilities:'''


* /run/systemd/
* smartd


* systemctl
* smartctl


* systemd-delta
* cryptsetup


* /etc/inittab
* /etc/crypttab


* /etc/init.d/
<br />
<br />


* /etc/rc.d/
===''Topic 202: Advanced Storage Device Administration''===


* chkconfig
====<span style="color:navy">204.1 Configuring RAID (weight: 4)</span>====
 
* update-rc.d
 
* init and telinit
 
<br />
 
====<span style="color:navy">202.2 System recovery (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
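Review bot: in 203.2 the key knowledge area "Understand the concepts and disk and file system encryption" should read "concepts of disk and file system encryption", and the description's "integrity of storage device" needs a plural. The heading "Topic 202: Advanced Storage Device Administration" is followed by objective 204.1, so topic and objective numbers do not match here either.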
Line 418: Line 401:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options.  Candidates should be able to determine the cause of errors in loading and usage of bootloaders.  GRUB version 2 and GRUB Legacy are the bootloaders of interest.  Both BIOS and UEFI systems are covered.
| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIOS and UEFI
* Software RAID configuration files and utilities


* NVMe booting
* Understanding the RAID levels 0, 1, 5 and 10


* GRUB version 2 and Legacy
* Awareness of the RAID levels 6, 7 and 50


* grub shell
* Recovery of a failed RAID device


* boot loader start and hand off to kernel
* Replacement of a failed disk within a RAID device


* kernel loading
'''Partial list of the used files, terms and utilities:'''


* hardware initialisation and setup
* mdadm.conf


* daemon/service initialisation and setup
* mdadm


* Know the different boot loader install locations on a hard disk or removable device.
* /proc/mdstat


* Overwrite standard boot loader options and using boot loader shells.
* partition type 0xFD


* Use systemd rescue and emergency modes.
<br />


'''The following is a partial list of the used files, terms and utilities:'''
====<span style="color:navy">204.2 Logical Volume Manager (weight: 4)</span>====


* mount
{|
| style="background:#dadada" |


* fsck
'''Weight'''


* inittab, telinit and init with SysV init
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


* The contents of /boot/, /boot/grub/ and /boot/efi/
| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}


* EFI System Partition (ESP)
'''Key Knowledge Areas:'''


* GRUB
* Tools in the LVM suite


* grub-install
* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes
 
* Creating and maintaining snapshots
 
* Activating volume groups
 
'''Partial list of the used files, terms and utilities:'''
 
* /sbin/pv*


* efibootmgr
* /sbin/lv*


* UEFI shell
* /sbin/vg*


* initrd, initramfs
* mount


* Master boot record
* /dev/mapper/


* systemctl
* lvm.conf


<br />
<br />


====<span style="color:navy">202.3 Alternate Bootloaders (weight: 2)</span>====
====<span style="color:navy">204.3 Basic ZFS Operations (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
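Review bot: the 204.1 description still limits the objective to "RAID 0, 1 and 5", but the new key knowledge areas ask for understanding of levels 0, 1, 5 and 10 and awareness of 6, 7 and 50. Align the description with the list, or remove RAID 10 from the understanding item, so the scope of the objective is unambiguous.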
Line 484: Line 479:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* SYSLINUX, ISOLINUX, PXELINUX
* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features


* Understanding of PXE for both BIOS and UEFI
'''Partial list of the used files, terms and utilities:'''


* Awareness of systemd-boot and U-Boot
* VDEV
* Zpools
* zfs


'''The following is a partial list of the used files, terms and utilities:'''
<br />
<br />


* syslinux
===''Topic 203: Advanced Networking Configuration''===


* extlinux
====<span style="color:navy">205.1 Runtime networking configuration (weight: 3)</span>====


* isolinux.bin
{|
| style="background:#dadada" |


* isolinux.cfg
'''Weight'''


* isohdpfx.bin
| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


* efiboot.img
| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}


* pxelinux.0
'''Key Knowledge Areas:'''


* pxelinux.cfg/
* Understand IPv4 and IPv6 addressing and routing


* uefi/shim.efi
* Manage wireless network interfaces


* uefi/grubx64.efi
* Manage links, addresses and routes using iproute2


<br/>
* Awareness of VLANs, bridges and bonds
<br/>


===''Topic 203: Filesystem and Devices''===
'''Partial list of the used files, terms and utilities:'''


====<span style="color:navy">203.1 Operating the Linux filesystem (weight: 4)</span>====
* ip


{|
* iw
| style="background:#dadada" |


'''Weight'''
* iwconfig


| style="background:#eaeaea" | 4
* iwlist
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types.
* wpa_supplicant
|}


'''Key Knowledge Areas:'''
* iwd


* The concept of the fstab configuration
<br />
 
====<span style="color:navy">205.2 Persistent Network Configuration (weight: 4)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}
 
'''Key Knowledge Areas:'''


* Tools and utilities for handling swap partitions and files
* Understand the architecture and configuration of NetworkMananger


* Use of UUIDs for identifying and mounting file systems
* Understand the architecture and configuration of systemd-networkd and systemd-resolved


* Understanding of systemd mount units
* Configure manual IPv4 and IPv6 addresses and routes


'''The following is a partial list of the used files, terms and utilities:'''
* Configure automatic IPv4 and IPv6 configuration


* /etc/fstab
'''Partial list of the used files, terms and utilities:'''


* /etc/mtab
* nmcli


* /proc/mounts
* nmtui


* mount and umount
* systemctl


* blkid
* networkctl


* sync
* resolvectl


* swapon
* hostnamectl


* swapoff
* Systemd network units


<br />
<br />


====<span style="color:navy">203.2 Maintaining a Linux filesystem (weight: 3)</span>====
====<span style="color:navy">205.3 Network Troubleshooting (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly maintain a Linux filesystem using system utilities. This objective includes manipulating standard filesystems and monitoring SMART devices.
| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Tools and utilities to manipulate and ext2, ext3 and ext4
* Determine what network configuration framework a system use
 
* Utilities to gain information about the network configuration


* Tools and utilities to perform basic Btrfs operations, including subvolumes and snapshots
* Identify common issues in network configuration and relate symptoms to configuration issues


* Tools and utilities to manipulate XFS
* Awareness of ifupdown, Wicked and netplan


* Awareness of ZFS
'''Partial list of the used files, terms and utilities:'''


'''The following is a partial list of the used files, terms and utilities:'''
* ip
 
* ping


* mkfs (mkfs.*)
* ss


* mkswap
* lsof


* fsck (fsck.*)
* nc


* tune2fs, dumpe2fs and debugfs
* /etc/network/interfaces, /etc/sysconfig/network-scripts


* btrfs, btrfs-convert
* mtr


* xfs_info, xfs_check, xfs_repair, xfsdump and xfsrestore
* hostname


* smartd, smartctl
* /etc/resolv.conf
 
* /etc/hosts
 
* /etc/hostname, /etc/HOSTNAME


<br />
<br />
<br />


====<span style="color:navy">203.3 Creating and configuring filesystem options (weight: 2)</span>====
===''Topic 204: System Maintenance''===
 
====<span style="color:navy">204.1 Make and install programs from source (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
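Review bot: objective numbers collide in this hunk: "204.1 Make and install programs from source" under Topic 204 reuses the number given to "204.1 Configuring RAID" earlier in the diff, and Topic 203 holds objectives 205.1 to 205.3. Renumber the objectives to follow their topic. Also correct "managa" in the 204.3 description and "NetworkMananger" in 205.2, and consider "datasets" in place of "subvolumes" for ZFS, since subvolume is the Btrfs term.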
Line 619: Line 646:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure automount filesystems using AutoFS. This objective includes configuring automount for network and device filesystems. Also included is creating filesystems for devices such as CD-ROMs and a basic feature knowledge of encrypted filesystems.
| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* autofs configuration files
* Unpack source code using common compression and archive utilities.


* Understanding of automount units
* Understand basics of invoking make to compile programs.


* UDF and ISO9660 tools and utilities
* Apply parameters to a configure script.


* Awareness of other CD-ROM filesystems (HFS)
* Know where sources are stored by default.


* Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito)
'''Partial list of the used files, terms and utilities:'''


* Basic feature knowledge of data encryption (dm-crypt / LUKS)
* /usr/src/


'''The following is a partial list of the used files, terms and utilities:'''
* gunzip


* /etc/auto.master
* gzip
 
* bzip2
 
* xz
 
* tar
 
* configure


* /etc/auto.[dir]
* make


* mkisofs
* uname


* cryptsetup
* install
 
* patch


<br />
<br />
<br />
===''Topic 204: Advanced Storage Device Administration''===


====<span style="color:navy">204.1 Configuring RAID (weight: 3)</span>====
====<span style="color:navy">204.2 Backup operations (weight: 3)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
Line 662: Line 696:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Software RAID configuration files and utilities
* Understand the conepts of backups, including common backup strategies


'''The following is a partial list of the used files, terms and utilities:'''
* Knowledge about directories that have to be included in backups


* mdadm.conf
* Understand application aspects of backup consistency


* mdadm
* Understand how to leverage file system or block device snapshots for backups


* /proc/mdstat
* Awareness of borg, including features and use cases


* partition type 0xFD
* Awareness of network backup solutions such as Bacula, Bareos and BackupPC


<br />
* Knowledge of the benefits and drawbacks of tapes, disks or other backup media


====<span style="color:navy">204.2 Adjusting Storage Device Access (weight: 2)</span>====
* Perform partial and manual backups using Linux standard tools


{|
* Verify the integrity of backup files
| style="background:#dadada" |


'''Weight'''
* Partially or fully restore backups


| style="background:#eaeaea" | 2
'''Partial list of the used files, terms and utilities:'''
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure kernel options to support various drives. This objective includes software tools to view & modify hard disk settings including iSCSI devices.
* Full, differential and incremental backups
|}


'''Key Knowledge Areas:'''
* dd


* Tools and utilities to configure DMA for IDE devices including ATAPI and SATA
* tar


* Tools and utilities to configure Solid State Drives including AHCI and NVMe
* /dev/st* and /dev/nst*


* Tools and utilities to manipulate or analyse system resources (e.g. interrupts)
* mt


* Awareness of sdparm command and its uses
* rsync


* Tools and utilities for iSCSI
<br />


* Awareness of SAN, including relevant protocols (AoE, FCoE)
====<span style="color:navy">204.3 Resource Management (weight: 4)</span>====


'''The following is a partial list of the used files, terms and utilities:'''
{|
| style="background:#dadada" |


* hdparm, sdparm
'''Weight'''


* nvme
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |
 
'''Description'''


* tune2fs
| style="background:#eaeaea" |


* fstrim
Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.


* sysctl
|}


* /dev/hd*, /dev/sd*, /dev/nvme*
'''Key Knowledge Areas:'''


* iscsiadm, scsi_id, iscsid and iscsid.conf
* Measure CPU, memory, disk and I/O usage.


* WWID, WWN, LUN numbers
* Match / correlate system symptoms with likely problems.
<br />


====<span style="color:navy">204.3 Logical Volume Manager (weight: 3)</span>====
* Estimate throughput and identify bottlenecks in a system including networking.


{|
* Manage resource consumption of systemd slices, scopes and services
| style="background:#dadada" |


'''Weight'''
* Awareness of Cgroups


| style="background:#eaeaea" | 3
'''Partial list of the used files, terms and utilities:'''
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
* iostat
|}


'''Key Knowledge Areas:'''
* iotop


* Tools in the LVM suite
* vmstat


* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes
* netstat


* Creating and maintaining snapshots
* ss


* Activating volume groups
* iptraf


'''The following is a partial list of the used files, terms and utilities:'''
* pstree, ps


* /sbin/pv*
* w


* /sbin/lv*
* lsof


* /sbin/vg*
* top


* mount
* htop


* /dev/mapper/
* uptime


* lvm.conf
* sar
 
* swap
 
* systemctl
 
* systemd-cgls
 
* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs
 
* MemoryMin, MemoryLow, MemoryHigh, MemoryMax
 
* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec


<br />
<br />
<br />
<br />  


===''Topic 205: Networking Configuration''===
===''Topic 205: Configuration Management''===


====<span style="color:navy">205.1 Basic networking configuration (weight: 3)</span>====
====<span style="color:navy">205.1 Ansible Basics (weight: 4)</span>====


{|
{|
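Review bot: in 204.3 the item "Measure CPU, memory, disk and I/O usage." leaves it unclear whether network I/O is in scope, although netstat, ss and iptraf remain in the utilities list; "CPU, memory, disk I/O and network I/O" would say it plainly. In 204.2, "conepts" should be "concepts".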
Line 782: Line 824:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network including both IPv4 and IPv6 networks.
| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Utilities to configure and manipulate ethernet network interfaces
* Understand the principles of automated system configuration and software installation
 
* Understand how Ansible interacts with remote systems


* Configuring basic access to wireless networks
* Understand the requirements of Ansible on a target node


'''The following is a partial list of the used files, terms and utilities:'''
* Create and maintain inventory files


* ip
* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers


* ifconfig
* Awareness of dynamic inventory


* route
* Awareness of cloud-init


* arp
'''Partial list of the used files, terms and utilities:'''


* iw
* ansible.cfg


* iwconfig
* ansible-playbook


* iwlist
* ansible-doc


<br />
<br />  


====<span style="color:navy">205.2 Advanced Network Configuration (weight: 4)</span>====
====<span style="color:navy">205.2 Ansible Modules (weight: 3)</span>====


{|
{|
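Review bot: The new 205.1 description misspells the product name: "use Asible to perform basic system configuration management" should read "use Ansible". The same hunk also shortens the list heading to "Partial list of the used files, terms and utilities:", while every other objective keeps "The following is a partial list of the used files, terms and utilities:". Pick one form and use it throughout.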
Line 816: Line 860:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 4
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device and resolving communication problems.
| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Utilities to manipulate routing tables
* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy


* Utilities to configure and manipulate ethernet network interfaces
* Understand and use important Ansible tasks


* Utilities to analyse the status of the network devices
'''Partial list of the used files, terms and utilities:'''


* Utilities to monitor and analyse the TCP/IP traffic
* file


'''The following is a partial list of the used files, terms and utilities:'''
* copy
 
* template


* ip
* ini_file


* ifconfig
* lineinfile


* route
* patch


* arp
* replace


* ss
* user


* netstat
* group


* lsof
* command


* ping, ping6
* shell


* nc
* service


* tcpdump
* systemd


* nmap
* cron


<br />
* apt


====<span style="color:navy">205.3 Troubleshooting network issues (weight: 4)</span>====
* debconf
 
* yum
 
* git
 
* debug
 
* ansible-galaxy
 
<br />
 
====<span style="color:navy">205.3 Ansible Templates and Variables (weight: 4)</span>====


{|
{|
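Review bot: In 205.2 the description speaks of "commonly used Ansible modules" and the terms list is a list of modules, but the key knowledge area says "Understand and use important Ansible tasks". Change "tasks" to "modules" so the three parts agree. The roles and Ansible Galaxy item, together with ansible-galaxy in the terms list, is not covered by the objective title "Ansible Modules" or by its description; either mention roles in the description or move the item to another objective.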
Line 870: Line 928:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues, to include knowledge of locations for basic configuration files and commands.
| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Location and content of access restriction files
* Set and use variables and facts


* Utilities to configure and manipulate ethernet network interfaces
* Maintain secrets using Ansible vaults


* Utilities to manage routing tables
* Write Jinja2 templates, including using common filters, loops and conditionals


* Utilities to list network states.
'''Partial list of the used files, terms and utilities:'''


* Utilities to gain information about the network configuration
* Jinja2 syntax


* Methods of information about the recognised and used hardware devices
* ansible-vault


* System initialisation files and their contents (Systemd and SysV init)
<br />
<br />


* Awareness of NetworkManager and its impact on network configuration
==Objectives: Exam 202==


'''The following is a partial list of the used files, terms and utilities:'''
===''Topic 207: Domain Name Server''===


* ip
====<span style="color:navy">207.1 Basic DNS server configuration (weight: 3)</span>====


* ifconfig
{|
| style="background:#dadada" |


* route
'''Weight'''


* ss
| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


* netstat
| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}


* /etc/network/, /etc/sysconfig/network-scripts/
'''Key Knowledge Areas:'''


* ping, ping6
* BIND 9.x configuration files, terms and utilities


* traceroute, traceroute6
* Defining the location of the BIND zone files in BIND configuration files


* mtr
* Reloading modified configuration and zone files
 
* Awareness of dnsmasq and PowerDNS as alternate name servers


* hostname
'''The following is a partial list of the used files, terms and utilities:'''


* System log files such as /var/log/syslog, /var/log/messages and the systemd journal
* named.conf


* dmesg
* rndc


* /etc/resolv.conf
* named-checkconf


* /etc/hosts
* kill


* /etc/hostname, /etc/HOSTNAME
* host


* /etc/hosts.allow, /etc/hosts.deny
* dig


<br />
<br />
<br />


===''Topic 206: System Maintenance''===
====<span style="color:navy">207.2 Create and maintain DNS zones (weight: 3)</span>====
 
====<span style="color:navy">206.1 Make and install programs from source (weight: 2)</span>====


{|
{|
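Review bot: The 205.3 description reads "understand variables and facts and Ansible and write simple Jinja2 templates"; the second "and" looks like a slip for "in" ("variables and facts in Ansible"). The 207.1 terms list now gives a bare "named.conf" where the objective 207.3 list later in this revision still gives "/etc/named.conf"; use the same form in both places.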
Line 937: Line 999:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Unpack source code using common compression and archive utilities.
* BIND 9 configuration files, terms and utilities


* Understand basics of invoking make to compile programs.
* Utilities to request information from the DNS server


* Apply parameters to a configure script.
* Layout, content and file location of the BIND zone files


* Know where sources are stored by default.
* Various methods to add a new host in the zone files, including reverse zones


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /usr/src/
* /var/named/


* gunzip
* zone file syntax


* gzip
* resource record formats


* bzip2
* named-checkzone


* xz
* named-compilezone


* tar
* masterfile-format


* configure
* dig


* make
* host
 
* uname
 
* install
 
* patch


<br />
<br />


====<span style="color:navy">206.2 Backup operations (weight: 3)</span>====
====<span style="color:navy">207.3 Securing a DNS server (weight: 2)</span>====


{|
{|
Line 987: Line 1,043:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.  
| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Knowledge about directories that have to be included in backups
* BIND 9 configuration files


* Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC
* Split configuration of BIND using the forwarders statement


* Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media
* Configuring and using transaction signatures (TSIG)


* Perform partial and manual backups.
* Awareness of DNSSEC and basic tools


* Verify the integrity of backup files.
* Awareness of DANE and related records
 
* Partially or fully restore backups.


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /bin/sh
* /etc/named.conf


* dd
* DNSSEC


* tar
* dnssec-keygen


* /dev/st* and /dev/nst*
* dnssec-signzone


* mt
<br />
<br />


* rsync
===''Topic 208: HTTP Services''===
 
<br />


====<span style="color:navy">206.3 Notify users on system-related issues (weight: 1)</span>====
====<span style="color:navy">208.1 HTTP Protocol (weight: 2)</span>====


{|
{|
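Review bot: The 207.3 key knowledge areas name TSIG and DANE, but the terms list stops at /etc/named.conf, DNSSEC, dnssec-keygen and dnssec-signzone, so nothing tells a candidate which TSIG or DANE terms are in scope. Add the relevant entries (for example the TLSA record type for DANE) or state that only awareness is tested. The objective title "Securing a DNS server" is also wider than a description that now covers only data exchange between servers plus DNSSEC and DANE awareness.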
Line 1,031: Line 1,084:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 1
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to notify the users about current issues related to the system.  
| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Automate communication with users through logon messages.
* Understanding the principles of HTTP version 1.1 and HTTP version 2.0


* Inform active users of system maintenance
* Understanding the principle of virtual hosts
 
* Application Server Integration


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/issue
* HTTP methods and status codes


* /etc/issue.net
* HTTP headers


* /etc/motd
* HTTP cookies


* wall
* CGI, FastCGI, WSGI, AJP


* shutdown
<br />


* systemctl
====<span style="color:navy">208.2 HTTPS, PKI and TLS (weight: 4)</span>====


<br />
{|
<br />
| style="background:#dadada" |


==Objectives: Exam 202==
'''Weight'''


===''Topic 207: Domain Name Server''===
| style="background:#eaeaea" | 4
 
====<span style="color:navy">207.1 Basic DNS server configuration (weight: 3)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIND 9.x configuration files, terms and utilities
* Cyptographic concenpts


* Defining the location of the BIND zone files in BIND configuration files
* TLS and SNI


* Reloading modified configuration and zone files
* X.509 certificates, including important fields for HTTPS


* Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers
* PKI


'''The following is a partial list of the used files, terms and utilities:'''
* Generate a self-signed Certificate


* /etc/named.conf
* Generate a server private key and CSR for a commercial CA


* /var/named/
* Install the key and certificate, including intermediate CAs


* rndc
* Let's Encrypt for certificate procurement


* named-checkconf
* Security issues in SSL use, awareness of insecure protocols and ciphers


* kill
'''The following is a partial list of the used files, terms and utilities:'''


* host
* Symetric and asymetric cryptography


* dig
* Hash functions
 
* Key exchange algorithms
 
* Perfect forward secrecy
 
* Certification Authorities
 
* ACME, including challenges
 
* openssl
 
* certbot


<br />
<br />


====<span style="color:navy">207.2 Create and maintain DNS zones (weight: 3)</span>====
====<span style="color:navy">208.3 Apache HTTPD Configuration (weight: 4)</span>====


{|
{|
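Review bot: Several spelling errors in the new 208.1 and 208.2 text need fixing before this leaves draft: "HTTP procotol" (protocol), "Cyptographic concenpts" (Cryptographic concepts), "Symetric and asymetric cryptography" (Symmetric and asymmetric), and "procuring X.509 certifications" where "certificates" is meant. In 208.2 the description and the "TLS and SNI" item say TLS while the last key knowledge area says "Security issues in SSL use"; use one term. "Certificate" is capitalised mid-sentence in "Generate a self-signed Certificate".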
Line 1,114: Line 1,172:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone and hints for root level servers. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIND 9 configuration files, terms and utilities
* Apache HTTPD 2.4 architecture, configuration files, terms and utilities


* Utilities to request information from the DNS server
* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)


* Layout, content and file location of the BIND zone files
* HTTPS configuration for IP and name-based virtual hosts


* Various methods to add a new host in the zone files, including reverse zones
* Apache log files configuration and content


'''The following is a partial list of the used files, terms and utilities:'''
* Access restriction methods and files


* /var/named/
* Client user authentication files and utilities


* zone file syntax
* Using redirect statements in Apache's configuration files to customize file access


* resource record formats
* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP


* named-checkzone
* mod_php and PHP FPM


* named-compilezone
* mod_python and Python WSGI


* masterfile-format
* Configuration of maximum requests, minimum and maximum servers and clients


* dig
* Awareness of mod_security and mod_evasive


* nslookup
'''The following is a partial list of the used files, terms and utilities:'''


* host
* access logs and error logs
 
* .htaccess
 
* httpd.conf
 
* mod_auth_basic, mod_authz_host and mod_access_compat
 
* htpasswd
 
* AuthUserFile, AuthGroupFile
 
* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
 
* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
 
* apachectl, apache2ctl
 
* httpd, apache2


<br />
<br />


====<span style="color:navy">207.3 Securing a DNS server (weight: 2)</span>====
====<span style="color:navy">208.4 NGINX Configuration (weight: 4)</span>====


{|
{|
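Review bot: The 208.3 key knowledge areas add reverse proxies for HTTP, FastCGI, WSGI and AJP, "mod_php and PHP FPM" and "mod_python and Python WSGI", but the terms list names no module or directive for any of them. List the ones candidates are expected to know so the scope is testable. "mod_python and Python WSGI" also pairs two different things, since WSGI applications under Apache HTTPD are normally served through mod_wsgi rather than mod_python; say which is meant.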
Line 1,160: Line 1,236:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.
| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIND 9 configuration files
* NGINX architecture, configuration files, terms and utilities


* Configuring BIND to run in a chroot jail
* NGINX virtual host implementation (with and without dedicated IP addresses)


* Split configuration of BIND using the forwarders statement
* HTTPS configuration for IP and name-based virtual hosts


* Configuring and using transaction signatures (TSIG)
* NGINX log files configuration and content


* Awareness of DNSSEC and basic tools
* Access restriction methods and files


* Awareness of DANE and related records
* Client user authentication files and utilities


'''The following is a partial list of the used files, terms and utilities:'''
* Configure redirects


* /etc/named.conf
* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP


* /etc/passwd
* Configuration of maximum requests, minimum and maximum servers and clients


* DNSSEC
'''The following is a partial list of the used files, terms and utilities:'''


* dnssec-keygen
* nginx
 
* dnssec-signzone


<br />
<br />
<br />
<br />


===''Topic 208: HTTP Services''===
===''Topic 209: File Sharing''===


====<span style="color:navy">208.1 Basic Apache configuration (weight: 4)</span>====
====<span style="color:navy">209.1 Samba File Server Configuration (weight: 4)</span>====


{|
{|
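Review bot: The 208.4 description is the 208.3 Apache description with the product name swapped, including "configuring support for scripting languages as modules", and the key knowledge area "Configuration of maximum requests, minimum and maximum servers and clients" is carried over in Apache's wording. Rewrite both in NGINX terms. The terms list for this weight 4 objective consists of the single entry "nginx"; add the configuration location and the directives that are in scope.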
Line 1,209: Line 1,283:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.  
| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Apache 2.4 configuration files, terms and utilities
* Samba 4 configuration files


* Apache log files configuration and content
* Samba 4 tools and utilities and daemons


* Access restriction methods and files
* Mounting CIFS shares on Linux


* mod_perl and PHP configuration
* Mapping Windows user names to Linux user names


* Client user authentication files and utilities
* User-level security


* Configuration of maximum requests, minimum and maximum servers and clients
* Active Directory membership


* Apache 2.4 virtual host implementation (with and without dedicated IP addresses)
'''The following is a partial list of the used files, terms and utilities:'''


* Using redirect statements in Apache's configuration files to customize file access
* samba, smbd, nmbd, winbindd


'''The following is a partial list of the used files, terms and utilities:'''
* smbcontrol, smbstatus, testparm, smbpasswd


* access logs and error logs
* samba-tool


* .htaccess
* net


* httpd.conf
* smbclient


* mod_auth_basic, mod_authz_host and mod_access_compat
* mount.cifs


* htpasswd
* /etc/samba/
 
* AuthUserFile, AuthGroupFile
 
* apachectl, apache2ctl
 
* httpd, apache2


<br />
<br />


====<span style="color:navy">208.2 Apache configuration for HTTPS (weight: 3)</span>====
====<span style="color:navy">209.2 NFS Server Configuration (weight: 3)</span>====


{|
{|
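Review bot: The 209.1 description has a stray article in "Also covered is a configuring a Linux client to use a Samba server"; it should read "Also covered is configuring a Linux client". The description still ends with "Troubleshooting installations is also tested", yet the new terms list contains no log location; either keep one or drop the troubleshooting sentence.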
Line 1,261: Line 1,329:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a web server to provide HTTPS.  
| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* SSL configuration files, tools and utilities
* NFS version 3 and 4 configuration files


* Generate a server private key and CSR for a commercial CA
* NFS tools and utilities


* Generate a self-signed Certificate
* Access restrictions to specific hosts and/or subnets


* Install the key and certificate, including intermediate CAs
* Mount options on server and client


* Configure Virtual Hosting using SNI
'''The following is a partial list of the used files, terms and utilities:'''


* Awareness of the issues with Virtual Hosting and use of SSL
* /etc/exports


* Security issues in SSL use, disable insecure protocols and ciphers
* exportfs


'''The following is a partial list of the used files, terms and utilities:'''
* showmount


* Apache2 configuration files
* nfsstat


* /etc/ssl/, /etc/pki/
* /proc/mounts


* openssl, CA.pl
* /etc/fstab


* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
* rpcinfo


* SSLCACertificateFile, SSLCACertificatePath
* mountd


* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
* portmapper


<br />
<br />
<br />
===''Topic 210: Network Client Management''===


====<span style="color:navy">208.3 Implementing Squid as a caching proxy (weight: 2)</span>====
====<span style="color:navy">210.1 DHCP configuration (weight: 2)</span>====


{|
{|
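Review bot: The key knowledge area in 209.2 is widened to "NFS version 3 and 4 configuration files", but the terms list is unchanged and still ends with mountd and portmapper, which NFSv4 does not require. Add the NFSv4-specific terms that are in scope or say that version 4 is covered only at configuration-file level. The description promises "securing NFS" and no key knowledge area covers it. The new revision also leaves a single "<br />" before the Topic 210 heading where other topic headings are preceded by two.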
Line 1,307: Line 1,378:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Squid 3.x configuration files, terms and utilities
* ISC DHCP configuration files, terms and utilities for DHCPv4


* Access restriction methods
* ISC DHCP configuration files, terms and utilities for DHCPv6


* Client user authentication methods
* radvd configuration files, terms and utilities for IPv6 SLAAC


* Layout and content of ACL in the Squid configuration files
* Subnet and dynamically-allocated DHCP range setup
 
* Subnet and host-specific DHCP range setup
 
* DHCPv4 and DHCPv6 options for PXE boot
 
* Awareness of KEA


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* squid.conf
* dhcpd.conf
 
* dhcpd6.conf


* acl
* dhcpd.leases


* http_access
* dhcpd6.leases
 
* radvd.conf
 
* dhcpd
 
* radvd
 
* DHCP Log messages in syslog or systemd journal


<br />
<br />


====<span style="color:navy">208.4 Implementing Nginx as a web server and a reverse proxy (weight: 2)</span>====
====<span style="color:navy">210.2 PAM authentication (weight: 3)</span>====


{|
{|
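Review bot: Two of the new 210.1 key knowledge areas are nearly identical, "Subnet and dynamically-allocated DHCP range setup" and "Subnet and host-specific DHCP range setup"; if the second is meant to cover fixed per-host assignments, word it that way. "Awareness of KEA" should use the project's spelling, Kea. The description still includes "configuring a DHCP relay agent", but no relay term appears in the list.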
Line 1,337: Line 1,424:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure a reverse proxy server, Nginx. Basic configuration of Nginx as a HTTP server is included.  
| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Nginx
* PAM configuration files, terms and utilities


* Reverse Proxy
* passwd and shadow passwords


* Basic Web Server
* Use sssd for LDAP authentication


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/nginx/
* /etc/pam.d/
 
* pam.conf
 
* nsswitch.conf
 
* pam_unix, pam_pwquaity, pam_limits, pam_listfile, pam_sss


* nginx
* sssd.conf


<br />
<br />
<br />


===''Topic 209: File Sharing''===
====<span style="color:navy">210.3 LDAP client usage (weight: 2)</span>====
 
====<span style="color:navy">209.1 Samba Server Configuration (weight: 5)</span>====


{|
{|
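Review bot: The module name replacing pam_cracklib in the 210.2 terms list is misspelled: "pam_pwquaity" should be "pam_pwquality". As written, the list names a module that does not exist.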
Line 1,370: Line 1,460:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 5
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.  
| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Samba 4 documentation
* Understand key concepts of LDAP


* Samba 4 configuration files
* LDAP utilities for data management and queries


* Samba 4 tools and utilities and daemons
* Change user passwords


* Mounting CIFS shares on Linux
* Querying the LDAP directory


* Mapping Windows user names to Linux user names
'''The following is a partial list of the used files, terms and utilities:'''


* User-Level, Share-Level and AD security
* ldapsearch


'''The following is a partial list of the used files, terms and utilities:'''
* ldappasswd


* smbd, nmbd, winbindd
* ldapadd


* smbcontrol, smbstatus, testparm, smbpasswd, nmblookup
* ldapdelete
 
* samba-tool
 
* net
 
* smbclient
 
* mount.cifs
 
* /etc/samba/
 
* /var/log/samba/


<br />
<br />


====<span style="color:navy">209.2 NFS Server Configuration (weight: 3)</span>====
====<span style="color:navy">210.4 Authentication Mechanisms and Standards (weight: 2)</span>====


{|
{|
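Review bot: The 210.3 description covers "queries and updates to an LDAP server", but the terms list offers only ldapsearch, ldappasswd, ldapadd and ldapdelete, with nothing for changing an existing entry. Add ldapmodify or narrow the description to adding and deleting. The new item "Understand key concepts of LDAP" would be easier to examine if the concepts were named.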
Line 1,418: Line 1,496:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* NFS version 3 configuration files
* Directory service and authentication standards


* NFS tools and utilities
* Domains and authentication management systems


* Access restrictions to certain hosts and/or subnets
* Web-based authentication standards


* Mount options on server and client
* Multi-factor authentication and one-time passwords (OTP)


* TCP Wrappers
* Understanding the most important properties and use cases of relevant procotols and standards
 
* Awareness of NFSv4


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/exports
* LDAP


* exportfs
* Kerberos 5


* showmount
* Active Directory


* nfsstat
* FreeIPA


* /proc/mounts
* Oauth2


* /etc/fstab
* OpenID Connect


* rpcinfo
* kinit, klist, kdestroy


* mountd
* pam_oath and pam_otp
 
* portmapper


<br />
<br />
<br />
<br />


===''Topic 210: Network Client Management''===
===''Topic 211: Email Services''===


====<span style="color:navy">210.1 DHCP configuration (weight: 2)</span>====
====<span style="color:navy">211.1 Using Email Servers (weight: 4)</span>====


{|
{|
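Review bot: The 210.4 description opens with "Candidates should bei understand the main principles", which should read "Candidates should understand". The last key knowledge area has "procotols" for "protocols", and the terms list writes "Oauth2" where the standard's name is OAuth 2.0. The first three key knowledge areas ("Directory service and authentication standards", "Domains and authentication management systems", "Web-based authentication standards") are very general for a weight 2 objective; tie each to the listed terms.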
Line 1,471: Line 1,545:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* DHCP configuration files, terms and utilities
* Configuration files for postfix


* Subnet and dynamically-allocated range setup
* Basic TLS configuration for postfix


* Awareness of DHCPv6 and IPv6 Router Advertisements
* Basic knowledge of the SMTP protocol


'''The following is a partial list of the used files, terms and utilities:'''
* Configure Postfix for SASL authentication using cyrus-sasl


* dhcpd.conf
* Configure nullmailer for email relay


* dhcpd.leases
* Awareness of exim


* DHCP Log messages in syslog or systemd journal
'''The following is a partial list of the used files, terms and utilities:'''


* arp
* Configuration files and commands for postfix


* dhcpd
* /etc/postfix/


* radvd
* /var/spool/postfix/


* radvd.conf
* /etc/aliases
 
* mail-related logs in /var/log/
 
* /etc/sasl2/smtpd.conf
 
* testsaslauthd
 
* nullmailer/me
 
* nullmailer/remotes
 
* nullmailer/defaultdomain


<br />
<br />


====<span style="color:navy">210.2 PAM authentication (weight: 3)</span>====
====<span style="color:navy">211.2 Managing Email Delivery (weight: 2)</span>====


{|
{|
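Review bot: Product names are capitalised inconsistently in 211.1: "Configuration files for postfix", "Basic TLS configuration for postfix" and "Awareness of exim" sit beside "Configure Postfix for SASL authentication". Use Postfix and Exim throughout. The description lists email aliases, email quotas, virtual email domains and monitoring, but of these only /etc/aliases and the mail logs are reflected in the key knowledge areas or terms; align the two.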
Line 1,511: Line 1,597:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* PAM configuration files, terms and utilities
* Understanding of Sieve functionality, syntax and operators


* passwd and shadow passwords
* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size
 
* Use sssd for LDAP authentication


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/pam.d/
* Conditions and comparison operators


* pam.conf
* keep, fileinto, redirect, reject, discard, stop


* nsswitch.conf
* Dovecot vacation extension
 
* pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
 
* sssd.conf


<br />
<br />


====<span style="color:navy">210.3 LDAP client usage (weight: 2)</span>====
====<span style="color:navy">211.3 Managing Mailbox Access (weight: 2)</span>====


{|
{|
Line 1,551: Line 1,631:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* LDAP utilities for data management and queries
* Dovecot IMAP configuration and administration


* Change user passwords
* Basic TLS configuration for Dovecot
 
* Querying the LDAP directory


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* ldapsearch
* /etc/dovecot/


* ldappasswd
* dovecot.conf


* ldapadd
* doveconf


* ldapdelete
* doveadm


<br />
<br />
<br />
===''Topic 212: System Security''===


====<span style="color:navy">210.4 Configuring an OpenLDAP server (weight: 4)</span>====
====<span style="color:navy">212.1 Configuring a router (weight: 4)</span>====


{|
{|
Line 1,585: Line 1,666:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* OpenLDAP
* iptables and ip6tables configuration files, tools and utilities


* Directory based configuration
* Tools, commands and utilities to manage routing tables.


* Access Control
* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)


* Distinguished Names
* Port redirection and IP forwarding
 
* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address


* Changetype Operations
* Save and reload filtering configurations


* Schemas and Whitepages
* Understand the main concepts of firewalld


* Directories
* Use firewalld to implement a simple edge node and router firewall


* Object IDs, Attributes and Classes
* Awareness of ufw and firewalld


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* slapd
* /proc/sys/net/ipv4/


* slapd-config
* /proc/sys/net/ipv6/


* LDIF
* /etc/services


* slapadd
* iptables


* slapcat
* ip6tables


* slapindex
* firewall-cmd


* /var/lib/ldap/
* /etc/firewalld/firewalld.conf
 
* loglevel


<br />
<br />
<br />


===''Topic 211: E-Mail Services''===
====<span style="color:navy">212.3 Advanced Secure shell (SSH) (weight: 3)</span>====
 
====<span style="color:navy">211.1 Using e-mail servers (weight: 4)</span>====


{|
{|
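Review bot: in the new 212.1 Key Knowledge Areas, firewalld is listed at two different depths. "Understand the main concepts of firewalld" and "Use firewalld to implement a simple edge node and router firewall" require working knowledge, while "Awareness of ufw and firewalld" requires only awareness. Suggest reducing the last item to "Awareness of ufw". Also, the new numbering in this hunk goes from 212.1 straight to 212.3; either renumber or state that 212.2 is intentionally vacant.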
Line 1,636: Line 1,714:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 4
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers.
| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Configuration files for postfix
* OpenSSH configuration files, tools and utilities
 
* Login restrictions for the superuser and the normal users
 
* Using SSH to forward local and remote ports


* Basic TLS configuration for postfix
* Understand the concept of an SSH CA


* Basic knowledge of the SMTP protocol
* Use an SSH CA to manage SSH keys


* Awareness of sendmail and exim
* Awareness of SSH Banners


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* Configuration files and commands for postfix
* ssh
 
* sshd
 
* /etc/ssh/sshd_config
 
* /etc/ssh/


* /etc/postfix/
* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication


* /var/spool/postfix/
* ssh-keygen


* sendmail emulation layer commands
* AuthorizedPrincipalsFile


* /etc/aliases
* TrustedUserCAKeys


* mail-related logs in /var/log/
* Banner


<br />
<br />


====<span style="color:navy">211.2 Managing E-Mail Delivery (weight: 2)</span>====
====<span style="color:navy">212.4 Security tasks (weight: 4)</span>====


{|
{|
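Review bot: the new 212.3 term list covers the SSH CA only on the user-certificate side (TrustedUserCAKeys, AuthorizedPrincipalsFile), while the description says "managing keys using an SSH CA" without limiting it to user keys. If host certificates are in scope, add HostCertificate to the list; if they are not, say so in the description. As a style point, the sshd_config manual spells the keyword PubkeyAuthentication, not "PubKeyAuthentication".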
Line 1,676: Line 1,764:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail.  
| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.
 
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Understanding of Sieve functionality, syntax and operators
* Tools and utilities to scan and test ports on a server


* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size
* Understand and configure fail2ban


* Awareness of procmail
* Configure systemd units to run with specific privileges


'''The following is a partial list of the used files, terms and utilities:'''
* Configure systemd units with a private /tmp directory


* Conditions and comparison operators
* Use systemd to restrict device access of services


* keep, fileinto, redirect, reject, discard, stop
* Use systemd to manage network accessiability of services


* Dovecot vacation extension
* Awareness of capabilitites and Cgroups


<br />
* Awareness of OpenVAS and Snort


====<span style="color:navy">211.3 Managing Mailbox Access (weight: 2)</span>====
'''The following is a partial list of the used files, terms and utilities:'''


{|
* telnet
| style="background:#dadada" |


'''Weight'''
* nmap


| style="background:#eaeaea" | 2
* fail2ban
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure POP and IMAP daemons.
* nc
|}


'''Key Knowledge Areas:'''
* User


* Dovecot IMAP and POP3 configuration and administration
* Group


* Basic TLS configuration for Dovecot
* SupplementaryGroups


* Awareness of Courier
* PrivateTmp


'''The following is a partial list of the used files, terms and utilities:'''
* DeviceAllow


* /etc/dovecot/
* IPAddressAllow


* dovecot.conf
* IPAddressDeny


* doveconf
* RestrictNetworkInterfaces


* doveadm
<br />
<br />
<br />


===''Topic 212: System Security''===
====<span style="color:navy">212.5 Virtual Private Networks (weight: 3)</span>====
 
====<span style="color:navy">212.1 Configuring a router (weight: 3)</span>====


{|
{|
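Review bot: two of the new 212.4 Key Knowledge Areas contain spelling errors: "network accessiability of services" should read "network accessibility of services", and "Awareness of capabilitites and Cgroups" should read "Awareness of capabilities and Cgroups". Worth fixing before the draft is published, since candidates search these lists for exact terms.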
Line 1,749: Line 1,829:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* iptables and ip6tables configuration files, tools and utilities
* Understand the concepts of a virtual private network


* Tools, commands and utilities to manage routing tables.
* Understand the different requirements of a site-to-site and an end user VPN


* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
* Wireguard


* Port redirection and IP forwarding
* Awareness of OpenVPN
 
* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address


* Save and reload filtering configurations
* Awareness of the main differences between OpenVPN and Wireguard


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /proc/sys/net/ipv4/
* /etc/wireguard/


* /proc/sys/net/ipv6/
* wg


* /etc/services
* wg-quick
 
* iptables
 
* ip6tables


<br />
<br />
<br />


====<span style="color:navy">212.2 Managing FTP servers (weight: 2)</span>====
==Future Change Considerations==


{|
Future changes to the objective will/may include:
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
|}
 
'''Key Knowledge Areas:'''
 
* Configuration files, tools and utilities for Pure-FTPd and vsftpd
 
* Awareness of ProFTPd
 
* Understanding of passive vs. active FTP connections
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* vsftpd.conf
 
* important Pure-FTPd command line options
 
<br />
 
====<span style="color:navy">212.3 Secure shell (SSH) (weight: 4)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}
 
'''Key Knowledge Areas:'''
 
* OpenSSH configuration files, tools and utilities
 
* Login restrictions for the superuser and the normal users
 
* Managing and using server and client keys to login with and without password
 
* Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* ssh
 
* sshd
 
* /etc/ssh/sshd_config
 
* /etc/ssh/
 
* Private and public key files
 
* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol
 
<br />
 
====<span style="color:navy">212.4 Security tasks (weight: 3)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
|}
 
'''Key Knowledge Areas:'''
 
* Tools and utilities to scan and test ports on a server
 
* Locations and organisations that report security alerts as Bugtraq, CERT or other sources
 
* Tools and utilities to implement an intrusion detection system (IDS)
 
* Awareness of OpenVAS and Snort
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* telnet
 
* nmap
 
* fail2ban
 
* nc
 
* iptables
 
<br />
 
====<span style="color:navy">212.5 OpenVPN (weight: 2)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}
 
'''Key Knowledge Areas:'''
 
* OpenVPN
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* /etc/openvpn/
 
* openvpn
 
<br />
<br />
 
==Future Change Considerations==
 
Future changes to the objective will/may include:
 
* Extend the amount of NetworkManager covered, i.e. including the CLI
 
* lighttpd would have been too much coverage of web services.  Perhaps reduce Apache next revision to make room.
 
* host level IDS (tripwire, AIDE, etc) to be covered in future LPIC-1.
 
* introduction (or more) to FreeIPA
 
* add coverage of mod_security and mod_evasive to Apache HTTP (maybe as a separate topic: Web Application Firewall)
 
* add coverage of a higher-level firewall package like firewalld or ufw
 
* Reconsider mod_perl
 
* Add firewall-cmd and /etc/firewalld/firewalld.conf related to firewalld to LPIC-2
 
* Awareness of firewalld
 
* Add nmcli and nmtui to LPIC-2
 
* Full coverage of IPv6 auto configuration
 
* Remove djbdns
 
* Advanced shell scripting (sed -e, set -x, set -o, pipefail, PIPESTATUS, declare)
 
* Filesystem quota (similar to the topic removed from LPIC-1)
 
* Understanding of consistency in backups, e.g. for databases
 
* Let's Encrypt for certification procurement
 
* 202.2: Reconsider NVMe booting
 
* 207.1: Consider dropping djbdns and consider unbound
 
* 207.1: /var/named/ is distro-specific
 
* 207.2: Remove creation of root.hints
 
* 207.2: Reconsider nslookup
 
* 207.3: Reconsider chroot
 
* 208.2: Remove CA.pl
 
* 208.2: Remove SNI specialties
 
* 208.2: Remove client certificate options
 
* 208.3: Reconsider the relevance of Squid
 
* 209.1: Remove Samba Share-Level security
 
* 209.1: Remove nmblookup
 
* 210.1: Remove arp
 
* 210.4: Aggregate Whitepages, schemas, classes etc.
 
* 212.2: Remove FTP
 
* 212.3: Remove Protocol
 
* 212.4: Remove bugtraq etc.


* Remove paths to commands and configuration files wherever possible
* Remove paths to commands and configuration files wherever possible
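Review bot: in the new 212.5 Key Knowledge Areas, the bare item "Wireguard" does not say what a candidate must be able to do with it, unlike its neighbours ("Understand ...", "Awareness of ..."). Suggest wording such as "Configure and operate WireGuard", which matches the /etc/wireguard/, wg and wg-quick entries in the term list, and spell the project name "WireGuard" in both places it appears in this hunk.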

Revision as of 14:24, 17 October 2023

Overview of Tasks

These are the required exams for LPI certification Level 2. They cover advanced skills for the Linux professional that are common across all distributions of Linux. Also, LPIC-1 must be obtained in order to receive the certification. Exams may be taken in any order but all of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

  • Administer a small to medium-sized site.
  • Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
    • LAN server (Samba, NFS, DNS, DHCP, client management).
    • Internet Gateway (firewall, VPN, SSH, web cache/proxy, mail).
    • Internet Server (web server and reverse proxy, FTP server).
  • Supervise assistants.
  • Advise management on automation and purchases.


Exams

In order to be certified LPIC-2, the candidate must pass both the 201 and 202 exams and be a holder of an active LPIC-1 certification.


Version Information

These objectives are A DRAFT version 5.0.0.


Addenda



Translations of Objectives

The following translations of the objectives are available on this wiki:

If you would like to help translating the objectives, please contact Fabian



Objectives: Exam 201

Topic 200: System Startup

200.1 Linux Kernel (weight: 2)

Weight

2
Description Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.

Key Knowledge Areas:

  • Understanding the Linux startup process
  • Understanding the Linux kernel architecture, including kernel modules
  • Linux kernel release and versioning scheme
  • Linux kernel modules
  • DKMS
  • udev

Partial list of the used files, terms and utilities:

  • Bootloader
  • Kernel
  • Initramfs
  • Init
  • Udev
  • mkinitramfs
  • uname
  • Module configuration files in /etc/
  • modules.dep
  • depmod
  • modinfo
  • modprobe
  • insmod
  • lsmod
  • rmmod
  • dmesg
  • lshw
  • lspci
  • lsusb
  • udevmonitor
  • udevadm monitor
  • /etc/udev
  • /proc
  • /proc/sys
  • /etc/sysctl.conf, /etc/sysctl.conf.d/
  • sysctl


200.2 Systemd Startup Configuration (weight: 4)

Weight

4
Description Candidates should be able to configure the startup of a Linux system using systemd. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.

Key Knowledge Areas:

  • Systemd concepts
  • Systemd unit types (Service, Socket, Target, Slice)
  • Systemd System and User Slices
  • Systemd Override and Drop-In Units
  • Awareness of SystemV init and OpenRC

Partial list of the used files, terms and utilities:

  • /usr/lib/systemd/
  • /etc/systemd/
  • /run/systemd/
  • systemctl
  • systemd-delta


200.3 Bootloaders and System recovery (weight: 4)

Weight

4
Description Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.

Key Knowledge Areas:

  • BIOS and UEFI
  • GRUB version 2
  • GRUB shell
  • GRUB configuration
  • GRUB password security
  • systemd-boot installation
  • systemd-boot configuration
  • boot loader start and hand off to kernel
  • kernel loading
  • hardware initialisation and setup
  • daemon/service initialisation and setup
  • Know the different boot loader install locations on a hard disk or removable device.
  • Overwrite standard boot loader options and using boot loader shells.
  • Use systemd rescue and emergency modes.

Partial list of the used files, terms and utilities:

  • mount
  • fsck
  • The contents of /boot/, /boot/grub/ and /boot/efi/
  • EFI System Partition (ESP)
  • GRUB
  • grub-install
  • bootctl
  • loader.conf
  • efibootmgr
  • efivar
  • UEFI shell
  • initrd, initramfs
  • Master boot record
  • systemctl


200.4 Alternate Bootloaders (weight: 2)

Weight

2
Description Candidates should be aware of other bootloaders and their major features.

Key Knowledge Areas:

  • SYSLINUX, ISOLINUX, PXELINUX
  • Understanding of PXE and iPXE for both BIOS and UEFI

Partial list of the used files, terms and utilities:

  • syslinux
  • extlinux
  • isolinux.bin
  • isolinux.cfg
  • isohdpfx.bin
  • efiboot.img
  • pxelinux.0
  • pxelinux.cfg/
  • uefi/shim.efi
  • uefi/grubx64.efi



Topic 201: Filesystem and Devices

203.1 Operating the Linux filesystem (weight: 4)

Weight

4
Description Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.

Key Knowledge Areas:

  • The concept of the fstab configuration
  • The concept of systemd mount and swap units
  • Configuring systemd automount units
  • Tools and utilities for handling swap partitions and files
  • Use of UUIDs for identifying and mounting file systems

Partial list of the used files, terms and utilities:

  • /etc/fstab
  • /etc/mtab
  • /proc/mounts
  • mount and umount
  • blkid
  • sync
  • swapon
  • swapoff
  • systemctl


203.2 Storage Device Integrity and Encryption (weight: 3)

Weight

3
Description Candidates should be able to maintain the integrity of storage devices and encrypt the information stored on a storage device.

Key Knowledge Areas:

  • Query, understand and monitor SMART values
  • Understand the concepts of disk and file system encryption
  • Understand the concepts of dm-crypt and LUKS
  • Use LUKS to encrypt storage devices
  • Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)
  • Awareness of WWID, WWN, LUN numbers

Partial list of the used files, terms and utilities:

  • smartd
  • smartctl
  • cryptsetup
  • /etc/crypttab



Topic 202: Advanced Storage Device Administration

204.1 Configuring RAID (weight: 4)

Weight

4
Description Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.

Key Knowledge Areas:

  • Software RAID configuration files and utilities
  • Understanding the RAID levels 0, 1, 5 and 10
  • Awareness of the RAID levels 6, 7 and 50
  • Recovery of a failed RAID device
  • Replacement of a failed disk within a RAID device

Partial list of the used files, terms and utilities:

  • mdadm.conf
  • mdadm
  • /proc/mdstat
  • partition type 0xFD


204.2 Logical Volume Manager (weight: 4)

Weight

4
Description Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.

Key Knowledge Areas:

  • Tools in the LVM suite
  • Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes
  • Creating and maintaining snapshots
  • Activating volume groups

Partial list of the used files, terms and utilities:

  • /sbin/pv*
  • /sbin/lv*
  • /sbin/vg*
  • mount
  • /dev/mapper/
  • lvm.conf


204.3 Basic ZFS Operations (weight: 2)

Weight

2
Description Candidates should be able to create and manage a ZFS file system. This includes managing subvolumes and awareness of ZFS RAID features.

Key Knowledge Areas:

  • Understand the concepts of ZFS
  • Create and use a ZFS file system
  • Create and manage ZFS subvolumes, including quota
  • Awareness of ZFS RAID features

Partial list of the used files, terms and utilities:

  • VDEV
  • Zpools
  • zfs



Topic 203: Advanced Networking Configuration

205.1 Runtime networking configuration (weight: 3)

Weight

3
Description Candidates should be able to configure wired and wireless network devices using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.

Key Knowledge Areas:

  • Understand IPv4 and IPv6 addressing and routing
  • Manage wireless network interfaces
  • Manage links, addresses and routes using iproute2
  • Awareness of VLANs, bridges and bonds

Partial list of the used files, terms and utilities:

  • ip
  • iw
  • iwconfig
  • iwlist
  • wpa_supplicant
  • iwd


205.2 Persistent Network Configuration (weight: 4)

Weight

4
Description Candidates should be able to configure wired and wireless network devices using NetworkManager as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.

Key Knowledge Areas:

  • Understand the architecture and configuration of NetworkManager
  • Understand the architecture and configuration of systemd-networkd and systemd-resolved
  • Configure manual IPv4 and IPv6 addresses and routes
  • Configure automatic IPv4 and IPv6 configuration

Partial list of the used files, terms and utilities:

  • nmcli
  • nmtui
  • systemctl
  • networkctl
  • resolvectl
  • hostnamectl
  • Systemd network units


205.3 Network Troubleshooting (weight: 4)

Weight

4
Description Candidates should be able to identify and correct common network setup issues.

Key Knowledge Areas:

  • Determine what network configuration framework a system uses
  • Utilities to gain information about the network configuration
  • Identify common issues in network configuration and relate symptoms to configuration issues
  • Awareness of ifupdown, Wicked and netplan

Partial list of the used files, terms and utilities:

  • ip
  • ping
  • ss
  • lsof
  • nc
  • /etc/network/interfaces, /etc/sysconfig/network-scripts
  • mtr
  • hostname
  • /etc/resolv.conf
  • /etc/hosts
  • /etc/hostname, /etc/HOSTNAME



Topic 204: System Maintenance

204.1 Make and install programs from source (weight: 2)

Weight

2
Description Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.

Key Knowledge Areas:

  • Unpack source code using common compression and archive utilities.
  • Understand basics of invoking make to compile programs.
  • Apply parameters to a configure script.
  • Know where sources are stored by default.

Partial list of the used files, terms and utilities:

  • /usr/src/
  • gunzip
  • gzip
  • bzip2
  • xz
  • tar
  • configure
  • make
  • uname
  • install
  • patch


204.2 Backup operations (weight: 3)

Weight

3
Description Candidates should be able to use system tools to back up important system data.

Key Knowledge Areas:

  • Understand the concepts of backups, including common backup strategies
  • Knowledge about directories that have to be included in backups
  • Understand application aspects of backup consistency
  • Understand how to leverage file system or block device snapshots for backups
  • Awareness of borg, including features and use cases
  • Awareness of network backup solutions such as Bacula, Bareos and BackupPC
  • Knowledge of the benefits and drawbacks of tapes, disks or other backup media
  • Perform partial and manual backups using Linux standard tools
  • Verify the integrity of backup files
  • Partially or fully restore backups

Partial list of the used files, terms and utilities:

  • Full, differential and incremental backups
  • dd
  • tar
  • /dev/st* and /dev/nst*
  • mt
  • rsync


204.3 Resource Management (weight: 4)

Weight

4

Description

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

Key Knowledge Areas:

  • Measure CPU, memory, disk and I/O usage.
  • Match / correlate system symptoms with likely problems.
  • Estimate throughput and identify bottlenecks in a system including networking.
  • Manage resource consumption of systemd slices, scopes and services
  • Awareness of Cgroups

Partial list of the used files, terms and utilities:

  • iostat
  • iotop
  • vmstat
  • netstat
  • ss
  • iptraf
  • pstree, ps
  • w
  • lsof
  • top
  • htop
  • uptime
  • sar
  • swap
  • systemctl
  • systemd-cgls
  • CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs
  • MemoryMin, MemoryLow, MemoryHigh, MemoryMax
  • IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec



Topic 205: Configuration Management

205.1 Ansible Basics (weight: 4)

Weight

3
Description Candidates should be able to use Ansible to perform basic system configuration management and administration.

Key Knowledge Areas:

  • Understand the principles of automated system configuration and software installation
  • Understand how Ansible interacts with remote systems
  • Understand the requirements of Ansible on a target node
  • Create and maintain inventory files
  • Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers
  • Awareness of dynamic inventory
  • Awareness of cloud-init

Partial list of the used files, terms and utilities:

  • ansible.cfg
  • ansible-playbook
  • ansible-doc


205.2 Ansible Modules (weight: 3)

Weight

3
Description Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.

Key Knowledge Areas:

  • Understand and use Ansible roles and install Ansible roles from Ansible Galaxy
  • Understand and use important Ansible tasks

Partial list of the used files, terms and utilities:

  • file
  • copy
  • template
  • ini_file
  • lineinfile
  • patch
  • replace
  • user
  • group
  • command
  • shell
  • service
  • systemd
  • cron
  • apt
  • debconf
  • yum
  • git
  • debug
  • ansible-galaxy


205.3 Ansible Templates and Variables (weight: 4)

Weight

4
Description Candidates should be able to understand variables and facts in Ansible and write simple Jinja2 templates.

Key Knowledge Areas:

  • Set and use variables and facts
  • Maintain secrets using Ansible vaults
  • Write Jinja2 templates, including using common filters, loops and conditionals

Partial list of the used files, terms and utilities:

  • Jinja2 syntax
  • ansible-vault



Objectives: Exam 202

Topic 207: Domain Name Server

207.1 Basic DNS server configuration (weight: 3)

Weight

3
Description Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.

Key Knowledge Areas:

  • BIND 9.x configuration files, terms and utilities
  • Defining the location of the BIND zone files in BIND configuration files
  • Reloading modified configuration and zone files
  • Awareness of dnsmasq and PowerDNS as alternate name servers

The following is a partial list of the used files, terms and utilities:

  • named.conf
  • rndc
  • named-checkconf
  • kill
  • host
  • dig


207.2 Create and maintain DNS zones (weight: 3)

Weight

3
Description Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.

Key Knowledge Areas:

  • BIND 9 configuration files, terms and utilities
  • Utilities to request information from the DNS server
  • Layout, content and file location of the BIND zone files
  • Various methods to add a new host in the zone files, including reverse zones

The following is a partial list of the used files, terms and utilities:

  • /var/named/
  • zone file syntax
  • resource record formats
  • named-checkzone
  • named-compilezone
  • masterfile-format
  • dig
  • host


207.3 Securing a DNS server (weight: 2)

Weight

2
Description Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.

Key Knowledge Areas:

  • BIND 9 configuration files
  • Split configuration of BIND using the forwarders statement
  • Configuring and using transaction signatures (TSIG)
  • Awareness of DNSSEC and basic tools
  • Awareness of DANE and related records

The following is a partial list of the used files, terms and utilities:

  • /etc/named.conf
  • DNSSEC
  • dnssec-keygen
  • dnssec-signzone



Topic 208: HTTP Services

208.1 HTTP Protocol (weight: 2)

Weight

2
Description Candidates should understand the basics of the HTTP protocol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.

Key Knowledge Areas:

  • Understanding the principles of HTTP version 1.1 and HTTP version 2.0
  • Understanding the principle of virtual hosts
  • Application Server Integration

The following is a partial list of the used files, terms and utilities:

  • HTTP methods and status codes
  • HTTP headers
  • HTTP cookies
  • CGI, FastCGI, WSGI, AJP


208.2 HTTPS, PKI and TLS (weight: 4)

Weight

4
Description Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certificates from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore, candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.

Key Knowledge Areas:

  • Cryptographic concepts
  • TLS and SNI
  • X.509 certificates, including important fields for HTTPS
  • PKI
  • Generate a self-signed Certificate
  • Generate a server private key and CSR for a commercial CA
  • Install the key and certificate, including intermediate CAs
  • Let's Encrypt for certificate procurement
  • Security issues in SSL use, awareness of insecure protocols and ciphers

The following is a partial list of the used files, terms and utilities:

  • Symmetric and asymmetric cryptography
  • Hash functions
  • Key exchange algorithms
  • Perfect forward secrecy
  • Certification Authorities
  • ACME, including challenges
  • openssl
  • certbot


208.3 Apache HTTPD Configuration (weight: 4)

Weight

4
Description Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.

Key Knowledge Areas:

  • Apache HTTPD 2.4 architecture, configuration files, terms and utilities
  • Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)
  • HTTPS configuration for IP and name-based virtual hosts
  • Apache log files configuration and content
  • Access restriction methods and files
  • Client user authentication files and utilities
  • Using redirect statements in Apache's configuration files to customize file access
  • Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
  • mod_php and PHP FPM
  • mod_python and Python WSGI
  • Configuration of maximum requests, minimum and maximum servers and clients
  • Awareness of mod_security and mod_evasive

The following is a partial list of the used files, terms and utilities:

  • access logs and error logs
  • .htaccess
  • httpd.conf
  • mod_auth_basic, mod_authz_host and mod_access_compat
  • htpasswd
  • AuthUserFile, AuthGroupFile
  • SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
  • SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
  • apachectl, apache2ctl
  • httpd, apache2


208.4 NGINX Configuration (weight: 4)

Weight

4
Description Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.

Key Knowledge Areas:

  • NGINX architecture, configuration files, terms and utilities
  • NGINX virtual host implementation (with and without dedicated IP addresses)
  • HTTPS configuration for IP and name-based virtual hosts
  • NGINX log files configuration and content
  • Access restriction methods and files
  • Client user authentication files and utilities
  • Configure redirects
  • Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
  • Configuration of maximum requests, minimum and maximum servers and clients

The following is a partial list of the used files, terms and utilities:

  • nginx



Topic 209: File Sharing

209.1 Samba File Server Configuration (weight: 4)

Weight

4
Description Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.

Key Knowledge Areas:

  • Samba 4 configuration files
  • Samba 4 tools and utilities and daemons
  • Mounting CIFS shares on Linux
  • Mapping Windows user names to Linux user names
  • User-level security
  • Active Directory membership

The following is a partial list of the used files, terms and utilities:

  • samba, smbd, nmbd, winbindd
  • smbcontrol, smbstatus, testparm, smbpasswd
  • samba-tool
  • net
  • smbclient
  • mount.cifs
  • /etc/samba/


209.2 NFS Server Configuration (weight: 3)

Weight

3
Description Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.

Key Knowledge Areas:

  • NFS version 3 and 4 configuration files
  • NFS tools and utilities
  • Access restrictions to specific hosts and/or subnets
  • Mount options on server and client

The following is a partial list of the used files, terms and utilities:

  • /etc/exports
  • exportfs
  • showmount
  • nfsstat
  • /proc/mounts
  • /etc/fstab
  • rpcinfo
  • mountd
  • portmapper



Topic 210: Network Client Management

210.1 DHCP configuration (weight: 2)

Weight

2
Description Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

Key Knowledge Areas:

  • ISC DHCP configuration files, terms and utilities for DHCPv4
  • ISC DHCP configuration files, terms and utilities for DHCPv6
  • radvd configuration files, terms and utilities for IPv6 SLAAC
  • Subnet and dynamically-allocated DHCP range setup
  • Subnet and host-specific DHCP range setup
  • DHCPv4 and DHCPv6 options for PXE boot
  • Awareness of KEA

The following is a partial list of the used files, terms and utilities:

  • dhcpd.conf
  • dhcpd6.conf
  • dhcpd.leases
  • dhcpd6.leases
  • radvd.conf
  • dhcpd
  • radvd
  • DHCP Log messages in syslog or systemd journal


210.2 PAM authentication (weight: 3)

Weight

3
Description The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.

Key Knowledge Areas:

  • PAM configuration files, terms and utilities
  • passwd and shadow passwords
  • Use sssd for LDAP authentication

The following is a partial list of the used files, terms and utilities:

  • /etc/pam.d/
  • pam.conf
  • nsswitch.conf
  • pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss
  • sssd.conf


210.3 LDAP client usage (weight: 2)

Weight

2
Description Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.

Key Knowledge Areas:

  • Understand key concepts of LDAP
  • LDAP utilities for data management and queries
  • Change user passwords
  • Querying the LDAP directory

The following is a partial list of the used files, terms and utilities:

  • ldapsearch
  • ldappasswd
  • ldapadd
  • ldapdelete


210.4 Authentication Mechanisms and Standards (weight: 2)

Weight

2
Description Candidates should understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.

Key Knowledge Areas:

  • Directory service and authentication standards
  • Domains and authentication management systems
  • Web-based authentication standards
  • Multi-factor authentication and one-time passwords (OTP)
  • Understanding the most important properties and use cases of relevant protocols and standards

The following is a partial list of the used files, terms and utilities:

  • LDAP
  • Kerberos 5
  • Active Directory
  • FreeIPA
  • OAuth2
  • OpenID Connect
  • kinit, klist, kdestroy
  • pam_oath and pam_otp



Topic 211: Email Services

211.1 Using Email Servers (weight: 4)

Weight

4
Description Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.

Key Knowledge Areas:

  • Configuration files for postfix
  • Basic TLS configuration for postfix
  • Basic knowledge of the SMTP protocol
  • Configure Postfix for SASL authentication using cyrus-sasl
  • Configure nullmailer for email relay
  • Awareness of exim

The following is a partial list of the used files, terms and utilities:

  • Configuration files and commands for postfix
  • /etc/postfix/
  • /var/spool/postfix/
  • /etc/aliases
  • mail-related logs in /var/log/
  • /etc/sasl2/smtpd.conf
  • testsaslauthd
  • nullmailer/me
  • nullmailer/remotes
  • nullmailer/defaultdomain


211.2 Managing Email Delivery (weight: 2)

Weight

2
Description Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.

Key Knowledge Areas:

  • Understanding of Sieve functionality, syntax and operators
  • Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

The following is a partial list of the used files, terms and utilities:

  • Conditions and comparison operators
  • keep, fileinto, redirect, reject, discard, stop
  • Dovecot vacation extension


211.3 Managing Mailbox Access (weight: 2)

Weight

2
Description Candidates should be able to install and configure IMAP daemons.

Key Knowledge Areas:

  • Dovecot IMAP configuration and administration
  • Basic TLS configuration for Dovecot

The following is a partial list of the used files, terms and utilities:

  • /etc/dovecot/
  • dovecot.conf
  • doveconf
  • doveadm



Topic 212: System Security

212.1 Configuring a router (weight: 4)

Weight

4
Description Candidates should be able to configure a system to forward IP packets and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.

Key Knowledge Areas:

  • iptables and ip6tables configuration files, tools and utilities
  • Tools, commands and utilities to manage routing tables
  • Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
  • Port redirection and IP forwarding
  • List and write filtering rules that accept or block IP packets based on source or destination protocol, port and address
  • Save and reload filtering configurations
  • Understand the main concepts of firewalld
  • Use firewalld to implement a simple edge node and router firewall
  • Awareness of ufw and firewalld

The following is a partial list of the used files, terms and utilities:

  • /proc/sys/net/ipv4/
  • /proc/sys/net/ipv6/
  • /etc/services
  • iptables
  • ip6tables
  • firewall-cmd
  • /etc/firewalld/firewalld.conf


212.3 Advanced Secure shell (SSH) (weight: 3)

Weight

3
Description Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.

Key Knowledge Areas:

  • OpenSSH configuration files, tools and utilities
  • Login restrictions for the superuser and the normal users
  • Using SSH to forward local and remote ports
  • Understand the concept of an SSH CA
  • Use an SSH CA to manage SSH keys
  • Awareness of SSH Banners

The following is a partial list of the used files, terms and utilities:

  • ssh
  • sshd
  • /etc/ssh/sshd_config
  • /etc/ssh/
  • PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication
  • ssh-keygen
  • AuthorizedPrincipalsFile
  • TrustedUserCAKeys
  • Banner


212.4 Security tasks (weight: 4)

Weight

4
Description Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

Key Knowledge Areas:

  • Tools and utilities to scan and test ports on a server
  • Understand and configure fail2ban
  • Configure systemd units to run with specific privileges
  • Configure systemd units with a private /tmp directory
  • Use systemd to restrict device access of services
  • Use systemd to manage network accessibility of services
  • Awareness of capabilities and Cgroups
  • Awareness of OpenVAS and Snort

The following is a partial list of the used files, terms and utilities:

  • telnet
  • nmap
  • fail2ban
  • nc
  • User
  • Group
  • SupplementaryGroups
  • PrivateTmp
  • DeviceAllow
  • IPAddressAllow
  • IPAddressDeny
  • RestrictNetworkInterfaces


212.5 Virtual Private Networks (weight: 3)

Weight

3
Description Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.

Key Knowledge Areas:

  • Understand the concepts of a virtual private network
  • Understand the different requirements of a site-to-site and an end user VPN
  • WireGuard
  • Awareness of OpenVPN
  • Awareness of the main differences between OpenVPN and WireGuard

The following is a partial list of the used files, terms and utilities:

  • /etc/wireguard/
  • wg
  • wg-quick



Future Change Considerations

Future changes to the objective will/may include:

  • Remove paths to commands and configuration files wherever possible